Microsoft previews new ransomware protection feature

Two large-scale ransomware outbreaks have hit Windows systems so far this year, and Microsoft has now announced how it intends to harden the platform against the next one: Windows Defender's Controlled Folder Access feature.

Following this week's outbreak of the PetrWrap ransomware - which Anton Ivanov and Orkhan Mamedov at Kaspersky have since argued may not have been ransomware at all, but a targeted data-destruction attack disguised as one - and WannaCry in May, Microsoft has been under pressure to bolster the security of its operating systems. Both outbreaks spread using an SMBv1 flaw from a cache of exploit tools attributed to the US National Security Agency and leaked to the public in April; Microsoft had already patched that flaw in the MS17-010 update in March, has since extended the fix to out-of-support versions of Windows, and is moving to remove the ageing SMBv1 file-sharing protocol from default installs. Alongside those fixes for the specific vulnerability, the company has been working on something to protect against ransomware in general rather than these attacks in particular: Windows Defender's Controlled Folder Access.

Announced late last night by Microsoft's Dona Sarkar as part of Windows 10 Build 16232 for Windows Insider beta testers, Controlled Folder Access borrows a concept more commonly seen on mobile platforms: granting rights to specific applications rather than to whoever is logged in. Traditionally, access to a directory on Windows is decided by its access control list, which grants or denies rights to security principals - individual users and groups of users - and is evaluated against the token of the process making the request. Because every program a user runs carries that user's token, any of them, ransomware included, can write to anything the user can. Controlled Folder Access adds a layer on top of this: a directory can be marked so that only selected applications are allowed to modify the files therein, regardless of the rights of the user running them.

'Controlled folder access monitors the changes that apps make to files in certain protected folders,' Sarkar explains of the new functionality. 'If an app attempts to make a change to these files, and the app is blacklisted by the feature, you’ll get a notification about the attempt. You can complement the protected folders with additional locations, and add the apps that you want to allow access to those folders.'

The lists of applications and folders are only partly under the user's control. Microsoft has confirmed that the feature relies on an internal whitelist of applications 'determined by Microsoft as friendly': users can add an application that would otherwise be blocked, but there is no option to block one Microsoft has chosen to allow. A preset selection of protected folders - the Desktop, Documents, Pictures and Movies folders among them - likewise cannot be removed, though additional user-specified folders, including network shares and mapped drives, can be added.
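The procedure described above - protecting extra folders, allowing extra applications, and checking what the feature has stopped - can be driven from an elevated PowerShell session with the Windows Defender cmdlets. The following is an added example written for this page, not code from Microsoft or from Sarkar's announcement; it uses the cmdlets as they ship in the released feature (Windows 10 version 1709 onwards, where an audit mode also exists), rather than anything specific to Insider Build 16232. The folder `D:\Finance` and the application `C:\Tools\backup.exe` are placeholders to be replaced with real paths.

```powershell
# Added example, not from the article or Microsoft: configure Controlled Folder Access
# from an elevated PowerShell session and review what it would have blocked.
# Assumed placeholders: D:\Finance (folder to protect), C:\Tools\backup.exe (app to allow).
#Requires -RunAsAdministrator

$folderToProtect = 'D:\Finance'
$appToAllow      = 'C:\Tools\backup.exe'

# 1. Current state. EnableControlledFolderAccess: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
$pref = Get-MpPreference
"Controlled Folder Access state: $($pref.EnableControlledFolderAccess)"

# 2. Start in audit mode: nothing is blocked, but every write that *would* have been
#    blocked is logged as event 1124. That is how you discover which of your own tools
#    need allow-listing before you switch to enforcement and start breaking things.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Add a folder to the protected set. Microsoft's built-in set (Documents, Pictures,
#    Movies, Desktop) cannot be removed; this only ever extends it.
Add-MpPreference -ControlledFolderAccessProtectedFolders $folderToProtect

# 4. Allow a specific application. This is the feature's trust boundary: an allowed
#    executable can write anywhere in the protected folders, so keep this list short
#    and keep the listed binaries in locations a standard user cannot replace.
Add-MpPreference -ControlledFolderAccessAllowedApplications $appToAllow

# 5. Show the resulting configuration.
$pref = Get-MpPreference
"Protected folders:";     $pref.ControlledFolderAccessProtectedFolders
"Allowed applications:";  $pref.ControlledFolderAccessAllowedApplications

# 6. Probe: write a file into the protected folder from this interpreter. In audit mode
#    the write succeeds regardless; if powershell.exe is not on the allow-list, an event
#    1124 naming the file and the process appears in the log, telling you the write
#    would have been refused under enforcement.
$probe = Join-Path $folderToProtect 'cfa-probe.txt'
Set-Content -Path $probe -Value 'controlled folder access probe'
Remove-Item -Path $probe -ErrorAction SilentlyContinue

# 7. Pull recent events from the Defender operational log.
#    1123 = write blocked (enforcement), 1124 = write audited (would have been blocked).
#    The message body carries the Path of the file and the Process Name responsible.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { $_.Message -replace '\s+', ' ' } } |
    Format-Table -AutoSize -Wrap

# 8. Once every legitimate writer shows up as allowed rather than audited, enforce:
# Set-MpPreference -EnableControlledFolderAccess Enabled
```

Run it once in audit mode on a representative machine, work through the 1124 events until only genuinely unwanted writers remain, and only then flip to `Enabled`; going straight to enforcement on a fleet tends to block backup agents, build tools and document-management clients that write to Documents. Note that a file written by an allowed application is, by definition, not logged, so these events show you what the feature refused or would refuse, not what it let through.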

Provided it hooks in at a low enough level, the feature should go some way towards protecting users' files from ransomware that silently encrypts them in the background before demanding payment for the decryption key. It is worth being clear about where the boundary lies: an application on the allow-list, whether Microsoft's or the user's, can still write to every protected folder, and so can any code that manages to run inside such an application, so the allow-list itself becomes the thing to keep tight. Sadly for those already hit, payment carries no guarantee that a working key is provided - in this week's outbreak the attackers' contact address was taken down, leaving no channel at all - so the only reliable recovery is from a known-clean backup kept somewhere the ransomware could not reach.

Additional new features in Windows 10 Build 16232, available to Windows Insider members now, include fixes for various bugs and glitches; improvements to Windows Defender Application Guard, which isolates Edge in a hardware-backed container so that a compromised browser session cannot reach the rest of the system; and exploit protection in the Windows Defender Security Centre as a replacement for the soon-to-be-deprecated Enhanced Mitigation Experience Toolkit (EMET). Known issues include a potential 0x80070643 error on upgrading, which Microsoft says it is investigating, and crashes in selected Universal Windows Platform (UWP) applications.

The new security features are due for general release as part of the Fall Creators Update later this year, Microsoft has confirmed.